Question

I found a user login script online which I later found out had been written in PHP4, and I am in the process of updating it to PHP5 and learning OOP at the same time :)

A snippet of my user class is:

<?php
session_start();   //Tell PHP to start the session
include("include/database.php");
include("include/mailer.php");
include("include/form.php");

include("constants.php");

class user
{
var $username;     //Username given on sign-up
var $firstname;
var $lastname;
var $userid;       //Random value generated on current login
var $userlevel;    //The level to which the user pertains
var $time;         //Time user was last active (page loaded)
var $logged_in;    //True if user is logged in, false otherwise
var $userinfo = array();  //The array holding all user info
var $url;          //The page url current being viewed
var $referrer;     //Last recorded site page viewed
var $num_active_users;   //Number of active users viewing site
var $num_active_guests;  //Number of active guests viewing site
var $num_members;        //Number of signed-up users

/**
* Note: referrer should really only be considered the actual
* page referrer in process.php, any other time it may be
* inaccurate.
*/

public function __construct(db $db, Form $form)
{
    $this->database = $db;
    $this->form = $form;
    $this->time = time();
    $this->startSession();

    $this->num_members = -1;

    if(TRACK_VISITORS)
    {
        /* Calculate number of users at site */
        $this->calcNumActiveUsers();

        /* Calculate number of guests at site */
        $this->calcNumActiveGuests();
    }
}
/**
* startSession - Performs all the actions necessary to 
* initialize this session object. Tries to determine if the
* the user has logged in already, and sets the variables 
* accordingly. Also takes advantage of this page load to
* update the active visitors tables.
*/
function startSession()
{

    /* Determine if user is logged in */
    $this->logged_in = $this->checkLogin();

    /**
    * Set guest value to users not logged in, and update
    * active guests table accordingly.
    */
    if(!$this->logged_in)
    {
        $this->username = $_SESSION['username'] = GUEST_NAME;
        $this->userlevel = GUEST_LEVEL;
        $this->addActiveGuest($_SERVER['REMOTE_ADDR'], $this->time);
    }
    /* Update users last active timestamp */
    else
    {
        $this->addActiveUser($this->username, $this->time);
    }

    /* Remove inactive visitors from database */
    $this->removeInactiveUsers();
    $this->removeInactiveGuests();

    /* Set referrer page */
    if(isset($_SESSION['url']))
    {
         $this->referrer = $_SESSION['url'];
    }
    else
    {
        $this->referrer = "/";
    }
    /* Set current url */
    $this->url = $_SESSION['url'] = $_SERVER['PHP_SELF'];
}

/**
* checkLogin - Checks if the user has already previously
* logged in, and a session with the user has already been
* established. Also checks to see if user has been remembered.
* If so, the database is queried to make sure of the user's 
* authenticity. Returns true if the user has logged in.
*/
function checkLogin()
{
    /* Check if user has been remembered */
    if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookid']))
    {
        $this->username = $_SESSION['username'] = $_COOKIE['cookname'];
        $this->userid   = $_SESSION['userid']   = $_COOKIE['cookid'];
    }

    /* Username and userid have been set and not guest */
    if(isset($_SESSION['username']) && isset($_SESSION['userid']) && $_SESSION['username'] != GUEST_NAME)
    {
        /* Confirm that username and userid are valid */
        if($this->confirmUserID($_SESSION['username'], $_SESSION['userid']) != 0)
        {
            /* Variables are incorrect, user not logged in */
            unset($_SESSION['username']);
            unset($_SESSION['userid']);
            return false;
        }

        /* User is logged in, set class variables */
        $this->userinfo  = $this->getUserInfo($_SESSION['username']);
        $this->username  = $this->userinfo['username'];
        $this->userid    = $this->userinfo['userid'];
        $this->userlevel = $this->userinfo['userlevel'];
        $this->lastlogin = $this->userinfo['lastlogin'];
        $this->townid = $this->userinfo['placeID'];

        return true;
    }
    /* User not logged in */
    else
    {
        return false;
    }
}
}
$db = new db($config);
$form = new Form;
$user = new User($db, $form);

But I've been told the var $username; etc. are not very secure and should not be used, so I'm here to ask: what should I use instead?

Do I do something like this for each var?

private $username;

/**
 * @return the $username
 */
public function getUsername() {
    return $this->username;
}

/**
 * @param $newUsername
 * the username to set
 */
public function setUsername($newUsername) {
    $this->username = $newUsername;
}

Thanks


Solution

var is equivalent to public. By making all the member variables private and adding getters (but not setters) to each of them, you're effectively making it so that other developers who use your API cannot [accidentally] update the values. That's what's meant by "secure" -- it's not as though someone will be able to hack into your server or access data if you don't declare them with the right privacy level*.

If you're going to add a setter as well, I'd say you're wasting your time (although others will disagree with me). You're giving them full rein over the variable anyway. The only advantage is that you can squeeze some other computations in your getter/setter down the road if you decide you want to store the value differently.

* Although another developer might accidentally expose information he shouldn't, such as a password.
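The answer's advice applied to the asker's class, as an added example (not the asker's or the answerer's code): the `var` properties become `private`, each gets a getter and no setter, and the password hash gets no getter at all so it cannot be exposed by accident. The property names are the asker's; the sample values, the admin level of 9 and the `verifyPassword` method are assumptions made for the demo.

```php
<?php
// Added example: the asker's `var` properties rewritten as private
// members with getters only, as the answer recommends.
class User
{
    private $username;      // was: var $username;  (var == public)
    private $userlevel;
    private $loggedIn;
    private $passwordHash;  // deliberately no getter: never exposed

    // All state is fixed at construction; nothing outside can assign it.
    public function __construct($username, $userlevel, $loggedIn, $passwordHash)
    {
        $this->username     = $username;
        $this->userlevel    = (int) $userlevel;
        $this->loggedIn     = (bool) $loggedIn;
        $this->passwordHash = $passwordHash;
    }

    public function getUsername()  { return $this->username; }
    public function getUserlevel() { return $this->userlevel; }
    public function isLoggedIn()   { return $this->loggedIn; }

    // A getter lets the representation change later without touching
    // callers, the one advantage the answer mentions. Level 9 is an
    // assumed admin level for this demo.
    public function isAdmin() { return $this->userlevel >= 9; }

    // The hash stays inside the object; callers only get a yes/no.
    public function verifyPassword($plain)
    {
        return password_verify($plain, $this->passwordHash);
    }
}

// Constructed sample user (password_hash/password_verify need PHP 5.5+).
$user = new User('alice', 1, true, password_hash('s3cret', PASSWORD_DEFAULT));
echo $user->getUsername(), " admin? ", var_export($user->isAdmin(), true), "\n";
echo "password ok? ", var_export($user->verifyPassword('s3cret'), true), "\n";

// With `var` this assignment would silently succeed; with `private` it is
// refused (catchable Error on PHP 7+, fatal error on PHP 5).
try {
    $user->username = 'admin';
} catch (Error $e) {
    echo "blocked: ", $e->getMessage(), "\n";
}
echo "username is still ", $user->getUsername(), "\n";
```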

Licensed under: CC-BY-SA with attribution